Ethereum Denver: How to Monitor a Network on the Fly


Intro

Several weeks ago, I was presented with a unique network and security challenge. A friend of mine asked me to be part of a hackathon dubbed ETHDenver taking place in Denver, Colorado. Specifically, he asked me to help support network and security monitoring during the conference. My first question was: what exactly is ETHDenver? Even if you have only a basic knowledge of cryptocurrency, you’ve probably heard of Ethereum and blockchain, the technology that enables it. Well, ETHDenver is a new event that brings together some of the world’s foremost blockchain researchers, entrepreneurs, businesses, artists and coders.

In some regards, it was a “choose-your-own-destiny” event. Some attendees were there just to be part of the hackathon, whereas others were there to hear the various speakers. More on the hackathon in a few, but my primary challenge here was to set up, support, and monitor the network, and the security of that network, for more than 3000 individuals over the course of 3 days. However, I also got to listen to the presentations, and one of the biggest lessons I learned from attending this event was that blockchain has a multitude of applications beyond just cryptocurrencies.

Figure 1. ETHDenver Hackathon, February 16 - 18, 2018

Figure 2. Ethereum Artwork

The Blockchain: Much More than Cryptocurrencies

When I talk to people about the blockchain, they typically bring up Bitcoin, and rightfully so. Bitcoin is the leading cryptocurrency that operates via a blockchain. There are more cryptocurrencies than you can shake a stick at, and each of them highlights some differentiating factor. At ETHDenver, the focus was on the Ethereum blockchain. According to the Ethereum website, “Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third-party interference. These apps run on a custom built blockchain, an enormously powerful shared global infrastructure that can move value around and represent the ownership of property”. If you’re looking for a more detailed explanation, Blockgeeks provides a great background on the blockchain in simple terms. For example, Figure 3 below illustrates what the distributed ledger looks like as compared to a centralized or decentralized model. Ethereum’s claim to fame is the “smart contract”, and ETHDenver was all about how that contract can be used in innovative ways beyond cryptocurrencies; that was the main focus of the hackathon as well.

Figure 3. Blockgeeks’ Illustration of the Different Network Types

The Hackathon

As a security professional, the thought of a hackathon usually entails a weekend of caffeine, exploits, and the painful persistence involved in trying to compromise a target system. But hacking is so much more than just computer hacking, as you may already know. In the context of ETHDenver, the hackathon was about hacking code together to achieve your desired goal of leveraging the blockchain for a novel function. At the end of the weekend, seven winners were announced out of the hundreds who participated. The seven winners all had varying uses for the blockchain. From a security and infrastructure perspective, the one that stood out to me the most was a project dubbed Canteen. It was touted as a decentralized container orchestrator, and was essentially a peer-to-peer self-healing container network. If one node were to go down, the “stack” could simply be rebuilt from a trusted peer in the blockchain, minimizing downtime. If only we had that for internet connections…

Monitoring Challenges and Other Woes

With a large conference, and especially a tech conference, there will be logistical issues. I think that might be a universal law somewhere. The first challenge we faced was that of time. Little time was provided to get infrastructure and security monitoring in place. We were given about a two-week window to set up everything that was needed, including Internet, wireless infrastructure and security monitoring. Thankfully, the internet circuit was ordered and delivered prior to the event. The wireless Access Points (APs) of choice were Cisco Meraki. With 3000+ users, there were approximately 45 APs in use at the infamous Denver Sports Castle.

The other area that required attention was network security monitoring (NSM). Based on our time and options, we opted to use USM Anywhere, by AlienVault. If you’re unfamiliar with this platform, it is essentially a cloud-hosted version of the company’s all-in-one security monitoring solution. The main UI is hosted and the sensors are deployed on site. This setup permitted NSM for the local network via the sensor and provided a centralized view into traffic from virtually anywhere. We ended up setting up a SPAN port on the switch where all of the wireless traffic eventually traversed, and that mirrored traffic was sent to the USM sensor. USM Anywhere permitted monitoring of the network from other locations and not just from the physical conference location. All in all, the setup was a breeze, and it took less than an hour to get up and running (plus or minus a few minutes to download the on-site sensor). Figure 4 illustrates the USM dashboard.

Figure 4. The Main UI for USM Anywhere

Finally, the largest challenge that plagued us on day one was an Internet outage. It was eventually resolved, but due to network congestion and faulty business class cable modems, we definitely had our work cut out for us. True to the distributed blockchain nature of the conference, we ended up having to further segment the networks, on the fly, via dedicated cable modems (as seen in figure 5).

The story wouldn’t be complete if I didn’t mention that some of the alerts we received via USM Anywhere were related to Ethereum traffic (figure 6).

Figure 6. Ethereum Traffic Alerts via USM

Deception to Add Context

As an added area of research, I ended up deploying two instances of MazeRunner Community Edition. This was done not only for my own edification, but also because, in an untrusted network, it was a way to help with early detection of nefarious behavior. Essentially, this technology was deployed to various segments of the network and acted much like a high-interaction honeypot. The alerts from the system were directed to the USM Anywhere sensor, which allowed for centralized monitoring. Aside from scanning, nobody seemed to want to discover more about these systems; they were probably too focused on hacking some code together.
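To show what “centralized monitoring” of decoy alerts can buy a responder on an untrusted network, here is an added example of my own; it is not code from this post, from MazeRunner or from USM Anywhere. It assumes a syslog-style alert export with the fields `ts`, `src`, `dst`, `dport` and `event` (a constructed layout, not either product’s real format), groups the alerts by source client, and separates a port sweep against a decoy from an interactive attempt on it. Any interaction with a decoy is suspect by definition, so the verdicts map directly onto the only containment options the takeaways below leave you with on a conference network: note, investigate, or restrict the client.

```python
"""Triage honeypot (deception) alerts by source client.

Constructed example. The alert format below is an assumption made for
illustration; it is not the real export format of MazeRunner or USM Anywhere.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real captures). One client sweeps ports on a
# decoy, one client tries to log in to it, and one touches a single port once.
SAMPLE_ALERTS = [
    "2018-02-16T10:00:01 src=10.20.4.17 dst=10.20.9.5 dport=22 event=connect",
    "2018-02-16T10:00:02 src=10.20.4.17 dst=10.20.9.5 dport=80 event=connect",
    "2018-02-16T10:00:02 src=10.20.4.17 dst=10.20.9.5 dport=443 event=connect",
    "2018-02-16T10:00:03 src=10.20.4.17 dst=10.20.9.5 dport=3389 event=connect",
    "2018-02-16T10:00:03 src=10.20.4.17 dst=10.20.9.5 dport=8080 event=connect",
    "2018-02-16T10:00:04 src=10.20.4.17 dst=10.20.9.5 dport=5900 event=connect",
    "2018-02-16T10:05:10 src=10.20.7.88 dst=10.20.9.5 dport=22 event=login_attempt user=root",
    "2018-02-16T10:05:14 src=10.20.7.88 dst=10.20.9.5 dport=22 event=login_attempt user=admin",
    "2018-02-16T10:40:00 src=10.20.3.3 dst=10.20.9.6 dport=445 event=connect",
]

SCAN_PORT_THRESHOLD = 5               # this many distinct decoy ports from one source
SCAN_WINDOW = timedelta(seconds=60)   # inside this window is treated as a sweep
REQUIRED_FIELDS = {"src", "dst", "dport", "event"}


def parse_alert(line):
    """Parse one constructed 'key=value' alert line; return None if malformed."""
    parts = line.split()
    try:
        record = {"ts": datetime.fromisoformat(parts[0])}
    except (IndexError, ValueError):
        return None
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        record[key] = value
    if not REQUIRED_FIELDS.issubset(record):
        return None
    try:
        record["dport"] = int(record["dport"])
    except ValueError:
        return None
    return record


def is_port_sweep(records):
    """True if any SCAN_WINDOW slice of the records hits >= threshold distinct ports."""
    records = sorted(records, key=lambda r: r["ts"])
    for i, start in enumerate(records):
        ports = {r["dport"] for r in records[i:] if r["ts"] - start["ts"] <= SCAN_WINDOW}
        if len(ports) >= SCAN_PORT_THRESHOLD:
            return True
    return False


def triage(lines):
    """Group alerts by source client and assign a containment verdict per source.

    'restrict'    : the client interacted with a decoy (login attempt etc.);
                    nothing legitimate does that, so block or isolate the client.
    'investigate' : a port sweep against a decoy; often a curious attendee, but
                    worth a look before deciding.
    'note'        : a single touch, e.g. a misconfigured client or stray probe.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_alert(line)
        if rec is not None:
            by_src[rec["src"]].append(rec)

    verdicts = {}
    for src, recs in by_src.items():
        interactive = any(r["event"] != "connect" for r in recs)
        if interactive:
            verdict = "restrict"
        elif is_port_sweep(recs):
            verdict = "investigate"
        else:
            verdict = "note"
        verdicts[src] = {
            "verdict": verdict,
            "alerts": len(recs),
            "decoys": sorted({r["dst"] for r in recs}),
            "ports": sorted({r["dport"] for r in recs}),
        }
    return verdicts


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{src:<12} {info['verdict']:<12} alerts={info['alerts']} "
              f"decoys={','.join(info['decoys'])} ports={info['ports']}")
```

The thresholds are deliberately conservative for a conference floor full of people who scan things for fun: a sweep only earns an “investigate”, while any interactive touch of a decoy earns a “restrict”, because a decoy has no legitimate users at all. Feeding real alerts in means replacing `parse_alert` with a parser for whatever format your deception platform actually emits.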

Observations and Conclusion

All that said, here are some of the takeaways and things to think about if you’re ever in a position where you need to provide similar services for a hackathon or other conference:

Plan appropriately for bandwidth (both Internet and wireless). If 2.4 GHz is not needed, consider forcing clients to use 5 GHz for quicker speeds.

Have a back-up internet connection, especially if the conference is doing live streaming.

Ensure that your network can be monitored from a utilization and security perspective.

Incident response looks very different on an untrusted network. Knowing whether something is up was a big priority for us (via NSM, and accounting for possible deception technology). Being able to ban or restrict an end user might be your only defense or containment option.

Setting up secure remote access helps untether you from the physical conference location.

Overall, participating in this event was a great learning experience and one way to give you confidence in your abilities. From my perspective, it was also great to learn about new and emerging technology, but that’s what it’s all about, isn’t it?

Contact

Matt Hosburgh is a passionate security practitioner, working to help organizations identify what they’re trying to protect and who their adversaries are. Currently a Cyber Threat Hunter for a Philadelphia based company, he is also the lead for the company’s Incident Response activities.

Matt began his InfoSec career while serving in the U.S. military. During these foundational years, he supported systems and networks for the Intelligence Community. After the Marine Corps, he transitioned from his military role to work as a Senior Security Analyst for United States Citizenship and Immigration Services (USCIS). During his time at USCIS, he was an integral part of the Security and Network Operation Center (SNOC) and the Computer Security Incident Response Team (CSIRT). Following that responsibility, Matt was the Senior Security Engineer for a mid-stream oil and gas company where he supported the company in securing both IT and Operational Technology (OT) systems.

Matt holds a graduate degree from the SANS Technology Institute, and maintains several GIAC Certifications, including the GSE.